5 GDPR myths busted

Do you really need consent for every customer communication when the new regulation comes into force?

With the General Data Protection Regulation (GDPR) set to come into force on 25 May 2018, there is a lot of chatter in the industry about what the new rules actually mean for marketers and customer experience practitioners handling personal customer data.

But what is true and what is sensationalist fiction?

At GDPR Forum last week, several experts dived into some of the biggest myths surrounding the new regulations and in clear terms outlined what the changes mean for organisations preparing now.

SEE ALSO: 5 steps to becoming GDPR ready

1) Massive fines will bankrupt SMEs

Sensationalist headlines claim that there will be fines for small and medium-sized enterprises (SMEs) that could bankrupt their company. In reality, the huge £20m fine mentioned in the news does not affect SMEs. This is purely to warn 'the very big corporations that are doing very bad things'.

2) You need consent for everything


Consent is mostly related to direct marketing.

Consent is one of the buzzwords thrown around alongside GDPR, and while you need consent from customers for some elements under the new law, there are a lot of ‘common sense’ things where explicit consent isn’t needed. These cover: contractual necessity, legal obligation, protection of vital interests, public interest necessity and legitimate interests.

For example, if you swap business cards at a conference, it’s assumed you will contact each other and, likewise, if you’re fulfilling a contract for a client and you need to send them additional information it’s only logical you’re allowed to do so without having explicit consent. Consent is only needed when you cannot rely on any of the above exceptions and is mostly related to direct marketing.


3) Data protection is an IT issue

There is no technology available that will make you GDPR compliant. Data protection is a boardroom issue, and while IT is involved, so is operations, HR, sales and marketing. It’s about the people and processes first. Though tech can of course help with particular issues, such as data discovery, record keeping and security.

4) You need a Data Protection Officer


A DPO does not have to be an employee, it can be an external consultant.

This was mentioned in an early draft of the GDPR and no longer applies to the majority of businesses. You must appoint a Data Protection Officer (DPO) only if you’re a public authority, your core activities require regular and systematic monitoring of data subjects, and your core activities consist of large scale processing of special categories of data.

Furthermore, a DPO does not have to be an employee, it can be an external consultant too. Though a lot of people are currently jumping on this bandwagon so if you go down this route you have to make sure your future DPO has been doing this for years and not just the last few months.

5) All data breeches have to be reported within 72 hours

While this is not a straight-up myth, this is only partly true. Data breaches must indeed be reported to the Information Commissioner's Office (ICO) by the controller, unless ‘unlikely to result in a risk to the rights and freedoms of natural persons’. So if it’s encrypted, retrieved unopened (in the case of snail mail) or it involves a bunch of corporate email addresses, then you’re likely going to be okay.

The 72 hour time frame is also somewhat flexible as the regulations state that obligation is ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it’.